PCI DSS Compliance: The Promise and The Peril of Data-Rich Call Centers

By Kristyn Emenecker

Today’s call centers hold great promise. This data intensive environment has the potential to yield insights for differentiated service, customer loyalty, and customer acquisition. But this information-rich environment must be carefully guarded to avoid potentially serious breaches.

Call centers must comply with a myriad of data security regulations and requirements. One such set of requirements is the Payment Card Industry Data Security Standards, known as PCI DSS.

PCI DSS Overview: Although introduced in 2006, some organizations may just be learning of PCI DSS requirements. PCI DSS is a mandatory data security compliance program that applies to all entities that process, store, or transmit credit, debit, or other payment cards, at any volume. Entities affected include merchants and third-party providers and applies to card business transacted over all payment channels.

Compliance with current PCI DSS requirements (now version 2.0) can be a challenge. Fairly straightforward standards are issued every three years, but guidance for requirements are updated often and can be lengthy as well as subjective, and PCI DSS-certified entities are held accountable to the latest guidance.

Compliance is not a “one-and-done” endeavor, either. Merchants and third-party providers must file a compliance certificate annually, and certification must be on file at the merchant bank.

Call Center Issues with PCI DSS Compliance: A call center’s data intensive environment – including digital call recording, combined with employee turnover, open physical environments, and potential off-site staff – means that data security requires constant vigilance. There are three issues that call center managers need to be aware of.

First, digital call recording can present challenges when it comes to complying with PCI DSS’s data storage requirements. Call recording is a valuable tool for quality control and fraud prevention, but presents a double-edged compliance sword when, by nature of containing sensitive data, it could itself be used as a data source for fraud, as was the case in a well-cited UK investigative report.

PCI DSS: Data Storage Requirements

  • PCI DSS allows data to be stored, but it must be protected: primary account number (PAN), cardholder name, expiration date on card, and service code.
  • PCI does not allow other data to be stored, even if encrypted: full magnetic stripe, PIN/PIN block, and CAV2/CID/CVC2/CVV2 (3-digit code on back of card); CID code (4-digits on front of AMEX card).

Suggested Protection Mechanisms for Call Recordings

  • Use end-to-end encryption: encrypt audio and screens at acquisition and decrypt only at playback.
  • If CVV2/CID is taken, then pause and mute or tone-over audio recording while caller speaks the code.
  • Alternatively, have the consumer provide credit card data via self-service/IVR to avoid agent handling and recording.

Second, a call center’s open physical layout may put data security at risk. The traditional open floor plan and low dividing walls that facilitate easy supervisor intervention on a call center floor can also allow for “shoulder surfing,” the act of viewing sensitive data on a co-worker’s computer screen without authorization to do so. Some call centers locate approved workers who process sensitive data in separate areas.

Third, regarding at-home agents, PCI DSS requires two-factor authentication for those workers who have access to the cardholder data environment. In addition, remote agents should work on a separate segment of the company data network, protected by an internal firewall.

Cost of Non-Compliance: While cost of compliance can be high, the cost of non-compliance and a potential security breach can be even higher from both a monetary and reputation perspective. Non-compliant merchants and third-party providers face stiff penalties from the card issuer including a fine per incident, increased fees and restrictions, and removal of processing privileges, should there be a breach.

Security breach costs also extend beyond PCI penalties. Costs may include irate customers, lawsuits, heavy regulatory oversight, lost goodwill, and lost business. According to the Ponemon Institute’s 2011 Cost of Data Breach Study: United States, the average security breach cost in 2011 was $5.5 million, and the average cost per record was $194.

Five Tips for PCI DSS Compliance

1) Know How PCI DSS Requirements Affects Your Business: The PCI DSS Quick Reference Guide outlines the twelve requirements of PCI DSS v2.0.

2) Take Key Steps Toward PCI DSS Compliance

  • Contact your acquirer or card issuer
  • Conduct a scoping exercise
  • Engage a QSA (qualified security assessor)
  • Engage an ASV (approved scanning vendor)
  • Continuously engage in proactive maintenance and re-evaluation

3) Develop a Prioritized Approach: The PCI Security Standards Council has provided a prioritized approach for pursing PCI DSS compliance (version 2.0), aligning the twelve PCI DSS requirements with six key milestones.

4) Keep Current: Because guidance for PCI Compliance is regularly updated, make sure to stay informed, particularly on guidance related to your business type. For contact centers, the supplemental guide for protecting telephone-based data will be especially relevant.

5) Work with the Right Partners: Consider a cloud solution for your contact center infrastructure, and let someone else handle the headaches. Cloud solutions are often run by sophisticated IT experts. Bob Kendall of Hitachi reports, “We moved to the cloud because we found that cloud solutions adhere to the highest security standards.”

If you choose a hosted or cloud-based solution:

  • Choose a partner that is PCI DSS-certified. This is an absolute must if they will come in contact with your customer’s payment card data. No exceptions.
  • Choose a member of the Cloud Security Alliance (CSA). The CSA is a group of elite companies that have demonstrated their knowledge of the cloud and how to secure it.

Work with security experts who are familiar with technologies that offer PCI DSS scope reduction, such as point-to-point encryption and tokenization. And finally, ensure your payment application is PA-DSS-certified. The list of approved vendors can be found online.

Create Tomorrow’s Contact Center Today: It is possible to create tomorrow’s contact center today by harnessing the power and promise of data to meet strategic business objectives while ensuring data security and compliance. Organizations can and should strive to provide security and quality at every touch point in the contact center, while staying focused on their main goal: creating great customer experiences.

Kristyn Emenecker, vice president of product marketing for inContact, has eighteen years of experience in the contact center industry, serving in a variety of operational, consultant, and senior leadership roles. She is active in a number of industry groups, published in multiple trade journals, and a regular on the industry speaking circuit. Follow Kristyn on Twitter: @LIVinEden.

[From Connection Magazine May 2013]

Leave a Reply

%d bloggers like this: